Jamie Cawley

Accessing the built-in observability tools of Kyma runtime

Included with Kyma is Grafana, which provides a centralized view of the logs and a number of dashboards for the metrics of workloads running in the Kyma runtime. For more background, there is a nice overview of Grafana by Gaurav Abbi.

The latest release of Kyma now uses the SAP Identity Authentication Service (IAS) for authentication and Kubernetes Role-Based Access Control (RBAC) to manage authorizations within the runtime. Kubernetes provides a number of resources, such as deployments, config maps, etc., that users interact with via the Kubernetes API. The API itself can also be extended to provide additional functionality; this is how Kyma API Rules are provided. RBAC controls access to the resources of the Kubernetes API by means of verbs (read, create, delete) that define what a user may do with each resource.

Grafana, however, is neither part of nor an extension of the Kubernetes API, so it does not fit the RBAC model. For this reason Grafana is not exposed externally by default, but there are a few options to do so. The simplest, after setting up kubectl, is to use the port-forward feature of kubectl to access Grafana locally. You also have the option to configure your own custom SAP IAS tenant to manage access using the provided OAuth2 Proxy. You can find the configuration steps for both of these methods in the help documentation. The OAuth2 Proxy also supports a number of other providers, such as GitHub, which can be used to manage access. The next sections walk through this procedure.


Start by creating a new GitHub OAuth application with the following values. You can find the cluster domain of your Kyma runtime on the main dashboard, listed under API Server Address; replace the leading api with grafana.

  • Application Name: Grafana

  • Homepage URL: https://grafana.<your cluster domain>

  • Authorization callback URL: https://grafana.<your cluster domain>

  • Choose Register application


On the next screen, choose the option to generate a new client secret.



Copy both the Client ID and the Client secret. These values will be used in the next steps.

Configuration of the OAuth2 Proxy

The OAuth2 Proxy is configured by creating a Kubernetes secret, which the proxy reads once it is restarted. There are a number of configuration parameters for the provider that adjust how it works. Please note that a parameter listed as --github-user is assigned within the secret as OAUTH2_PROXY_GITHUB_USER. In the script below, replace the placeholders with the client ID and client secret of the GitHub application and your GitHub email address. Multiple email addresses can be added by separating them with commas. The secret can also be created in the dashboard by choosing the namespace kyma-system, then the menu option Configuration -> Secrets, and using the option Create Secret.


kubectl -n kyma-system create secret generic monitoring-auth-proxy-grafana-user \
  --from-literal="OAUTH2_PROXY_CLIENT_ID=<your client id>" \
  --from-literal="OAUTH2_PROXY_CLIENT_SECRET=<your client secret>" \
  --from-literal="OAUTH2_PROXY_PROVIDER=github" \
  --from-literal="OAUTH2_PROXY_GITHUB_USER=<your email address>"


After the secret has been applied, restart the OAuth2 Proxy pod by running:

kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana


After the pod has restarted, choosing the Grafana link in the Kyma dashboard under the Observability menu option should prompt you for authorization. After choosing Authorize you should be redirected to Grafana.
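The steps above as one script, added here as an example and not part of the original post: it derives the Grafana URL from the API Server Address, refuses values that still contain the template placeholders, renders the same secret as a manifest, and only contacts the cluster when APPLY=1 (the variable names API_SERVER_ADDRESS, CLIENT_ID, CLIENT_SECRET and GITHUB_USERS are assumptions of this example).

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Environment variables used when
# APPLY=1: API_SERVER_ADDRESS, CLIENT_ID, CLIENT_SECRET, GITHUB_USERS (assumed names).
set -eu

# https://api.<cluster domain> -> https://grafana.<cluster domain>
grafana_url() {
  case "$1" in
    https://api.*) printf 'https://grafana.%s\n' "${1#https://api.}" ;;
    *) echo "expected https://api.<cluster domain>, got: $1" >&2; return 1 ;;
  esac
}

# Reject empty values and values still carrying a <...> placeholder from the template.
not_placeholder() {
  case "$1" in *'<'*'>'*|'') return 1 ;; *) return 0 ;; esac
}

# Collapse "a, b ,c" into "a,b,c": the allow-list is comma separated, no spaces.
normalise_list() {
  printf '%s' "$1" | tr -d '[:space:]'
}

# Render the Secret the proxy reads on restart (stringData, so no manual base64).
render_secret() {
  id="$1"; secret="$2"; users="$3"
  not_placeholder "$id" && not_placeholder "$secret" && not_placeholder "$users" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-auth-proxy-grafana-user
  namespace: kyma-system
type: Opaque
stringData:
  OAUTH2_PROXY_CLIENT_ID: "$id"
  OAUTH2_PROXY_CLIENT_SECRET: "$secret"
  OAUTH2_PROXY_PROVIDER: "github"
  OAUTH2_PROXY_GITHUB_USER: "$(normalise_list "$users")"
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
  echo "Grafana will be served at: $(grafana_url "$API_SERVER_ADDRESS")"
  render_secret "$CLIENT_ID" "$CLIENT_SECRET" "$GITHUB_USERS" | kubectl apply -f -
  kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana
  kubectl -n kyma-system rollout status deployment monitoring-auth-proxy-grafana
fi
```

Running it without APPLY=1 only defines the checks, so you can review the rendered manifest with `render_secret` before anything reaches the cluster.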


Ian Jiang

Hi Jamie,

Thanks for your blog. It helps me a lot. I have a question: how can I prevent all GitHub users from accessing my Grafana dashboard on the BTP Kyma runtime?

I thought of "OAUTH2_PROXY_GITHUB_USER" as a whitelist of who has permission to access Grafana. However, I forwarded the Grafana address to my colleague, who is not in OAUTH2_PROXY_GITHUB_USER. He could then directly access the Grafana dashboard with his GitHub account.



Jamie Cawley (Blog Post Author)

Did you try assigning the value OAUTH2_PROXY_GITHUB_USER?

There are also values for the org, team and repo that could be used, which are shown in the linked provider documentation.